Admin can create, edit, or delete a role
User Story
An administrator may create, edit, or delete a role via the roles and permissions section of the administration menu. See the related user stories below for the specific types of roles that may be created and edited in CollectionSpace 1.0.
Notes
UI -> Service mapping
Access -> Read
Write -> Create, Read, Update
Delete -> Delete
Read Only -> Read, No Update, No Delete
Note: For Read Only permissions, the App layer would have to render pages only after checking whether the user also has Update and/or Delete permissions at the service layer. Read Only permission enforcement would require the following 3 permission checks in the App layer:
- Check if READ is allowed but also ...
- make sure UPDATE is not allowed AND
- make sure DELETE is not allowed
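The mapping and the three Read Only checks above, sketched as an added example (not CollectionSpace code). The names `UI_RULES`, `parse_granted`, `ui_levels` and `page_controls` are hypothetical, and hiding the page entirely when READ is missing is an assumption.

```python
from enum import Enum


class Action(Enum):
    CREATE = "CREATE"
    READ = "READ"
    UPDATE = "UPDATE"
    DELETE = "DELETE"


A = Action
# UI level -> (service actions that must be granted, actions that must be absent),
# transcribed from the "UI -> Service mapping" list.
UI_RULES = {
    "Access": ({A.READ}, set()),
    "Write": ({A.CREATE, A.READ, A.UPDATE}, set()),
    "Delete": ({A.DELETE}, set()),
    "Read Only": ({A.READ}, {A.UPDATE, A.DELETE}),
}


def parse_granted(names):
    """Convert service-layer action names to a set; an unknown name raises ValueError."""
    return {Action(n.strip().upper()) for n in names}


def ui_levels(granted):
    """UI levels whose required actions are all granted and whose forbidden ones are absent."""
    return {
        level
        for level, (required, forbidden) in UI_RULES.items()
        if required <= granted and not (forbidden & granted)
    }


def page_controls(granted):
    """Decide what a record page shows. Assumption: without READ nothing is rendered."""
    levels = ui_levels(granted)
    if "Access" not in levels:
        return {"render": False, "read_only": False, "edit": False, "delete": False}
    return {
        "render": True,
        "read_only": "Read Only" in levels,  # READ and not UPDATE and not DELETE
        "edit": "Write" in levels,           # partial grants match no Write level
        "delete": "Delete" in levels,
    }
```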
Dan mentioned in the earlier STIM on this topic that the app layer would perform its own access control check. Sanjay’s interpretation: when it comes to controlling access to UI-owned resources such as pages, widgets, etc., the App layer would enforce additional access control.
Related User Stories:
- Admin can create a new role allowing no access, read, write, and delete at the record level
- Admin can create a new role allowing read or write at the field level
- Admin can edit an existing role
- Admin can delete a role